Incident

Instagram API exposure leaks 17.5 million user records

Take action: If you have an Instagram account, activate MFA ASAP. If you receive password reset emails, don't click on any links in them. Visit Instagram, reset your password, and ignore further password reset emails that you haven't requested yourself.


Learn More

A threat actor named "Solonik" leaked data from 17.5 million Instagram users on BreachForums on January 7, 2026. The data likely came from an API exposure that occurred in 2024, where attackers bypassed security checks to scrape user profiles.

The leak consists of large JSON and TXT files in a structure that usually comes from an API response. Although the leak does not contain passwords, the personal details allow for targeted scams and identity theft.

Cyber Digest reports that the data "...appears to be from the Instagram 2024 API breach, in which 489 million records were obtained. Further analysis shows that the original file dump was created in 2022 and shared in 2023." A cybersecurity and OSINT researcher using the handle Seb on Twitter reports: “The Instagram data leak file was created on 2022-06-20 10:37:22 and shared via a cloud service on 2023-03-24.”

The exposed data includes:

  • Usernames and full names
  • Email addresses
  • International phone numbers
  • Partial physical addresses
  • User IDs and contact details

The data is reportedly being sold in “batches” sorted by region and follower count, making influencers and high-profile business accounts primary targets.

Users are now reporting a flood of password reset emails. Attackers globally use the leaked contact info to trigger password reset requests, hoping to trick users into clicking phishing links or giving up account access. This is a common way to exploit partial data to get credentials after a large leak.

Experts suggest turning on two-factor authentication (2FA) and using unique passwords.

A Meta spokesperson denied that a data breach had occurred. It's not clear how attackers exfiltrated these 17 million accounts.

"We fixed an issue that allowed an external party to request password reset emails for some Instagram users. We want to reassure everyone there was no breach of our systems and people’s Instagram accounts remain secure. People can disregard these emails and we apologize for any confusion this may have caused," the Meta spokesperson said.
